How I Set Up Wildcard SSL for My Nginx Server Using Certbot

Karthik S
2 min read · Feb 4, 2025

Securing websites with SSL is crucial for both security and SEO. Recently, I needed to set up a wildcard SSL certificate for my subdomains using Certbot and configure Nginx on my Debian server. While the process seemed daunting at first, breaking it down into steps made it manageable.

Here’s how I did it.

Prerequisites

Before diving into the configuration, I ensured my setup met the following requirements:

Wildcard DNS record: I added an A record for all subdomains:

  • Type: A
  • Name: * (wildcard for subdomains)
  • Value: My Debian server’s public IP
  • TTL: 600 seconds (10 minutes)

Firewall access: Opened ports 80 and 443 to allow HTTP and HTTPS traffic.

Installed Nginx: Since I was using it as a reverse proxy, it needed to be present.

Installed Certbot: The tool used to generate and renew SSL certificates.

With these prerequisites in place, I moved on to the next step.

Generating Wildcard SSL Certificates

The first challenge was to get a wildcard SSL certificate from Let’s Encrypt. Wildcard certificates cover all subdomains (e.g., app.example.com, blog.example.com, etc.), making them extremely useful.

I ran the following command (the wildcard is quoted so the shell does not try to expand it as a glob):

sudo certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d '*.example.com'

Certbot prompted me to enter my email for renewal notifications. It then displayed a TXT record value that had to be published at _acme-challenge.example.com so Let’s Encrypt could verify control of the domain.

💡 Important: DNS propagation can take a few minutes. I used an online tool like DNS Checker to confirm the TXT record was visible globally before letting Certbot continue, since the validation fails if the record is not yet visible to Let’s Encrypt.

Once verified, Certbot generated the certificates and stored them under:

📁 /etc/letsencrypt/live/example.com/

  • fullchain.pem (certificate plus intermediate chain)
  • privkey.pem (private key; Certbot keeps it readable by root only)

With my certificate in place, it was time to configure Nginx.
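Before wiring the certificate into Nginx, it is worth checking which hostnames it actually covers, because a wildcard matches exactly one DNS label: *.example.com covers app.example.com but neither the bare example.com nor a.b.example.com. The following is an added example, not code from the original post; the SAN list and hostnames in it are constructed sample values.

```python
"""Check which intended hostnames a certificate's SAN list actually covers.

Added example, not from the original post. It applies the RFC 6125 rule that
a wildcard stands for exactly one DNS label, so *.example.com covers
app.example.com but neither example.com nor a.b.example.com.
"""


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname                      # plain dNSName: exact match
    # Wildcard entry: '*' must replace exactly one label, never zero or several.
    suffix = san[1:]                                # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label and "*" not in label


def uncovered_hostnames(sans: list[str], hostnames: list[str]) -> list[str]:
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    # Constructed sample: the SAN list you get from `-d '*.example.com'` alone.
    sans = ["*.example.com"]
    wanted = ["app.example.com", "blog.example.com", "example.com", "a.b.example.com"]
    print("not covered:", uncovered_hostnames(sans, wanted))
    # Requesting the apex as a second -d name closes the first gap.
    print("with apex added:", uncovered_hostnames(sans + ["example.com"], wanted))
```

If the apex domain must be served from the same certificate, pass it as an additional -d name when running Certbot; nested subdomains need their own wildcard (e.g. *.b.example.com).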

Configuring Nginx for SSL

To ensure all subdomains were secured, I updated my Nginx configuration.

I created a new configuration file for the wildcard domain (/etc/nginx/sites-available/wildcard.example.com):

server {
    listen 80;
    listen [::]:80;
    server_name *.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name *.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Additional SSL settings can be added here
}

Then, I enabled the configuration:

sudo ln -s /etc/nginx/sites-available/wildcard.example.com /etc/nginx/sites-enabled/

Before reloading Nginx, I always test the configuration:

sudo nginx -t

If everything was okay, I reloaded Nginx:

sudo systemctl reload nginx

Now, my wildcard SSL setup was live!

Automating SSL Renewal

Let’s Encrypt certificates expire after 90 days, so automatic renewal is necessary. I added a cron job:

sudo crontab -e

At the end of the file, I added:

0 0 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"

This scheduled Certbot to attempt renewal daily at midnight (Certbot only renews certificates that are close to expiry) and to reload Nginx only when a certificate was actually renewed. One caveat worth knowing: a certificate obtained with --manual and no --manual-auth-hook cannot be renewed non-interactively, because Certbot has no way to publish the new TXT record by itself, so certbot renew will skip it; fully unattended renewal needs a DNS plugin for your provider or an auth hook script that updates the record.

Final Thoughts

Setting up wildcard SSL with Nginx was a valuable learning experience. With the certificate in place, I could now host multiple secure subdomains on my server without additional configurations.

If you’re working with subdomains and need a secure, automated SSL solution, I highly recommend this approach!

🔹 Have you set up wildcard SSL before? Let me know your experience in the comments! 🚀


Written by Karthik S

🚀 DevOps Engineer | Exploring cloud, automation, and infrastructure
